methods. One of the most significant configurations to focus on during installation is that of the GPO for VDI OS images.

When beginning a new deployment, it's important to consider how the images will be managed. As a best practice, you should simplify down to one or two images. All typical configuration options and security settings need to be done through Active Directory Organizational Units (ADOUs) and Group Policies. Therefore, when creating virtual desktops in any VDI solution, the desktops should be deployed into predefined Organizational Units (OUs).

Forming predefined OUs with associated Group Policy Objects (GPOs) should be a common practice for any VDI installation. Configuring OUs in Active Directory allows the administrator full control over all settings associated with the desktop, along with the users' desktop experience. Another benefit to this setup is that the VDI deployment can then use technology that has been available in any Microsoft network for many years.

Once the OUs are created and a GPO is applied to them, the virtual desktops are placed in these organizational units as they are created. The following example use cases show how Active Directory GPOs accomplish the configuration tasks discussed above.

Use Case 1: The Call Center desktop

Description:

A group of virtual desktops is to be created for about 100 users. These users are lower level Windows users that are to be restricted from viewing certain menus in Windows.

The Start Menu is to be pared down to remove the Run Menu, Help Menu and Network Places.

The desktop type is to be non-persistent. (Meaning, when a user logs off and logs back in to the desktop, it will be clean).

Active Directory configuration:

Create a new OU called "CallCenterVD".

Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:

Allow Log On Through Terminal Services = "Domain Users" (This is done so anyone with domain rights can log in, but the real desktop login control will be done through the VDI solution Connection Broker)

A group of virtual desktops is to be created for about 20 IT administrators. The user is a higher-level user that is to be allowed full access.

The desktop type is to be persistent. (When a user logs on, their profile and other user settings are to be redirected to a home directory. When they log off and log in again, the profile will not need to roam between desktops, and they will have their desktop with all saved settings and options.)

Active Directory configuration:

Create a new OU called "PersistentITVD".

Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:

Allow Log On Through Terminal Services = "Domain Users" (This is done so anyone with domain rights can log in, but the real desktop login control will be done through the VDI solution Connection Broker)
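The OU and GPO steps from both use cases can be scripted. The following is an added example, not code from the original article: it creates the two OUs, links a GPO to each, applies the Call Center Start Menu restrictions, and checks whether the logon right has been set. The domain name and GPO names are assumptions, as is the use of loopback processing so that user-side settings apply on desktops in the OU.

```powershell
# Added example; requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Assumption: placeholder domain. Replace with your own distinguished name.
$DomainDN = 'DC=example,DC=local'

# OU names come from the article; the GPO names are hypothetical.
$Pools = @(
    @{ OU = 'CallCenterVD';   Gpo = 'VDI-CallCenter-Policy' },
    @{ OU = 'PersistentITVD'; Gpo = 'VDI-PersistentIT-Policy' }
)

foreach ($p in $Pools) {
    $ouDN = "OU=$($p.OU),$DomainDN"
    # Create the OU, the GPO and the link only if they do not exist yet.
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $p.OU -Path $DomainDN
    }
    if (-not (Get-GPO -Name $p.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $p.Gpo | Out-Null
    }
    $linked = (Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName
    if ($linked -notcontains $p.Gpo) {
        New-GPLink -Name $p.Gpo -Target $ouDN | Out-Null
    }
}

# Call Center: remove the Run menu, Help menu and Network Places.
# These are the registry values behind the Start Menu administrative templates.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($v in 'NoRun', 'NoSMHelp', 'NoStartMenuNetworkPlaces') {
    Set-GPRegistryValue -Name 'VDI-CallCenter-Policy' -Key $explorer `
        -ValueName $v -Type DWord -Value 1 | Out-Null
}

# Assumption: the OU holds computer objects, so the user-side settings above
# reach users only with loopback processing enabled (1 = merge, 2 = replace).
Set-GPRegistryValue -Name 'VDI-CallCenter-Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# "Allow log on through Terminal Services" is a user rights assignment, not a
# registry policy, so it is set in the GPO editor. This check reports whether
# each GPO already defines it (SeRemoteInteractiveLogonRight).
foreach ($p in $Pools) {
    $report = Get-GPOReport -Name $p.Gpo -ReportType Xml
    $set = $report -match 'SeRemoteInteractiveLogonRight'
    '{0}: remote logon right defined = {1}' -f $p.Gpo, $set
}
```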

These two use case examples are only the beginning of what a virtual desktop planning session needs to contain for OU creation. There are many features and controls in Active Directory that allow the VDI administrator to design numerous configurations. Keep in mind that sometimes a simpler configuration is better, as complexity can cause problems with any deployment.

ABOUT THE AUTHOR: Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. Brad can be reached at bmaltz@iciamerica.com for any questions, comments or suggestions.

1 comment

The terminal services profile can be set up within the user object properties in Active Directory (AD), just like a normal profile is set up, albeit in a different tab. Configure folder redirection for the user’s ‘documents desktops favorites and to the controversial folder application data’. When you redirect a folder to a share on another server, you are actually telling the system not to load and unload these folders whenever the user logs in and logs out, respectively.